Your privacy and CCV

You entrust CCV with your payment and personal data. We attach great importance to that trust. We would like to take this opportunity to explain how we protect your personal data.

We have been in the business of handling payment data – yours and those of millions of other people in Europe – for decades now. That is why we comply with the following legislation:

General Data Protection Regulation (GDPR) of the European Union

Our operational processes are set up in full conformity with the stringent requirements of each of these pieces of legislation. We have also put in place robust measures to protect data traffic. That is how we ensure your and your customers’ privacy.

Basic privacy principles

In a nutshell, our compliance with these laws means that we observe the following basic principles:

We will inform you of your rights and will not take action unless and until you give permission to process your data.

We will only use your personal data to perform our work.

We will only collect data that we need in order to perform our work.

We will ensure that your personal data are and remain correct.

We will not retain your personal data for longer than necessary.

We will protect your personal data against access by unauthorized parties, loss or destruction.

We can demonstrate our compliance with these principles.

Data manager and data processor

From a legal perspective, we fulfil a dual role when it comes to privacy. We record and manage personal data of our clients, your customers and our employees. Officially, we are a data manager in that capacity and, as such, accountable for the careful handling of data.

Contact

If you need any help, our customer service department will be happy to assist you.

You have the right to access the personal data about you that we have on record. If you want to exercise this right, we must first verify your identity before we can start retrieving your data. You will be sent all the data about you that we have. We will also inform you of the details of our processing method, including the purpose, retention period, the parties that we share data with, and how data have been obtained. We aim to provide you with an overview of these data within one month. We will inform you if we expect it to take longer.

You have the right to correct or supplement the personal data about you that we have on record. You also have the right to delete part of your data in order to restrict how much data we can use in the future. And you have what is known as the ‘right to be forgotten’, which means that all the data about you we have on record will be deleted. However, we are required by law to retain certain data, so these we cannot delete.

You have the right to request the digital transfer to a different organization of data that CCV has on record about you. If you want to exercise this right, we will provide your data to you in a structured and generally accepted file format. We are only allowed to do this with personal data that you provided to us in person, or if you gave express permission to process such data, or with data we obtained as result of the fulfilment of our agreement. We aim to complete preparing the file for data transfer within one month. We will inform you if we expect it to take longer.

If you think that we are wrongfully processing personal data about you, we encourage you to make this known to us. If your objection is justified, we will stop processing your personal data. You can also file an official complaint if you think your data are not being handled with due care. When we receive a complaint, we will carefully review our processes and work to eliminate any shortcomings we identify. We aim to address your complaint within five business days. We will inform you if we expect it to take longer. If we are unable to reach agreement, you have the option of submitting your complaint to the Dutch Data Protection Authority.

How we handle your data

We use a range of technological and organizational measures to protect your privacy as effectively as possible. With certifications from national and international quality and safety standards organizations, we demonstrate how serious we are about protecting your privacy. These certifications include compliance with the Payment Card Industry Data Security Standard (PCI DSS). We use the following methods to protect your privacy in our work processes.

Triple data protection

First and foremost, responsibility for the careful handling of data rests with our colleagues whose day-to-day work involves the processing of personal data. They know how data are processed and have access to the content of applications. They also assess the proper functioning of all processes on a daily basis.

They are backed up by support and advice from the risk management department and the data protection officer, who draft policies, conduct risk analyses, and assess whether the processes comply with applicable laws and regulations.

Lastly, our independent internal audit department and the data protection officer will check if the aforementioned colleagues work together effectively, and whether we actually fulfil all our legal and business obligations.

Purpose of data usage

Personal data about employees will only be used to carry out our duties as an employer. Personal data about clients will only be used to provide our services, for instance to:

Conclude or amend agreements

Process and analyse payment transactions

Resolve disputes and disputed payment transactions

Prevent and address fraud and other unlawful activities

Analyse data in order to improve our services

Initiate, coordinate and outsource work processes

Perform specific marketing activities

Retention period

Personal data will not be retained for longer than is necessary for the intended purpose, and will not be retained beyond the statutory retention period. We ensure compliance with this retention period by keeping the retention period details and the corresponding personal data in the same location.

Anti-fraud measures

We work together with banks, credit card companies and other parties that combat fraud. To facilitate these efforts, it is sometimes necessary to share data with these parties. This always happens in compliance with legal requirements and only with the express permission of our data protection officer.

Staying up-to-date

Our employees are aware of the importance of privacy. They have been trained in protecting your privacy and keeping information secure. We make sure that this awareness and expertise stay up-to-date, for instance by offering an e-learning programme and through regular internal information sharing. Our data protection officer and the corporate information security officer monitor these activities.

Contact

If you need any help, our customer service department will be happy to assist you.

In the event of a data leak

No matter how effectively we perform our work, the risk of a data breach always exists. This can be the result of human error or have an external cause. A data leak is defined as a situation in which personal data is lost or ends up in the wrong hands.

In the event of a data leak, immediate action is required. We will first examine which personal data have been affected. If the breach could potentially affect your rights and freedoms, the data leak will be reported to the Dutch Data Protection Authority within 72 hours. In case of a high risk, you will also be informed right away.

In addition, the leak will be thoroughly investigated. We will get to the bottom of what happened and determine which data were exposed to risk, who the culprits might be, and how we can prevent it from happening again. This approach enables us to tighten our security. Furthermore, we will carefully record any and all findings about the data leak to ensure we can learn from them even in the future.

Reporting a data leak

Do you think a data leak may have occurred? Please inform us as quickly as possible, stating the reasons or the signals that your suspicion is based on.

Terms and definitions

Personal data

All information pertaining to an individual, for instance a name or e-mail address. It also includes data that indirectly relate to someone’s identity, i.e. personal details such as an IP address, a card number or transaction data. Combined with other data, these details can be traced to an individual.

General Data Protection Regulation (GDPR)

European legislation regulating the careful processing and free movement of personal data. This Regulation was adopted and became applicable in all EU member states on 27 April 2016, subject to a two-year transition period to enable organizations to make their administrative and operational processes compliant with the new law, which will become enforceable on 25 May 2018.

Data manager

A person or organization that – individually or in collaboration with third parties – registers or manages personal data. The data manager is also responsible for how its data processing activities are structured and function. We are the data manager of the personal data of our clients.

Data processor

A person or organization that processes personal data on behalf of the data manager. We are the data manager of payment data on behalf of a number of clients. A data processor and a data manager always conclude a contract setting out the terms and conditions that must be met to guarantee the security of personal data.

Client

A person that enters into a relationship with CCV, e.g. a visitor to our website, a person using our services or products, a supplier or a business partner.

Contact

If you need any help, our customer service department will be happy to assist you.

Our cookie policy

We use cookies to ensure our website functions properly. Cookies are small text files we send to your computer, tablet or phone. Such a file will record certain data, such as the webpages you visit. This is an entirely anonymous process; your identity will not be revealed. However, cookies do reveal certain information about your behaviour. For that reason, we would like to inform you about cookies and the options available to you.

Purpose of our cookies

Cookies are useful both for us and for you. For instance, cookies ensure you do not need to enter the same information repeatedly, and that you are presented with information that is in line with your interests. We also use cookies to analyse how you use our website. The insights gained from this help us to make the site more user-friendly.

Cookies are used for a variety of purposes:

To enable communication across a digital network

To research how our website is used

To conclude or fulfil an agreement

To deliver a service requested by you

To identify what your interests are based on how you use our site

To enable third parties to identify what your interests are

If you prefer to disable cookies

You can decide which types of cookies you want to accept, if any. However, this choice may have certain consequences. If you disable our cookies, we cannot guarantee that our website will work flawlessly.

You can change settings to determine which cookies to accept and which to disable. For instance, you may want to accept statistical cookies but not the ones for personalised information. Set your preferences now >>

You can personalise the settings of your browser – Chrome, Safari, Internet Explorer – to have it display a warning when a website wants to send a cookie, or to have it refuse all cookies or only third-party cookies. You can also delete all received cookies. Make sure you change these settings on every device and in every browser you use.

You can disable tracking by Google Analytics for all websites. If you want to do this, you can unregister for all Google cookies on their website.Go to Google and unregister >> (linkto: https://myaccount.google.com/privacy#ads)

Purpose: The Google AJAX Search API is a Javascript library that allows you to embed Google Search in your web pages and other web applications. Using API, developers can integrate Google Search, News Search and Blog Search into their website.

Purpose: Google Tag Manager allows CCV to quickly and easily update tags and code fragments on the website. Once the Tag Manager fragment has been added to the website, CCV can configure tags via a web interface without needing to change or implement additional code. This reduces the likelihood of errors and it will no longer be necessary to involve a developer when CCV needs to change something.

Purpose: Measuring conversions and making targeted offers on third-party websites. The anonymous conversion information is used to determine the value of various advertising partners on a central ad server, and this anonymous information is used to display targeted offers on third-party websites via this central ad server.

Purpose: Obtaining a better insight in visitors’ clicking behaviour, enabling improvement of the user experience on the website.

Cookies: _ga

Expiry period: No more than 1 year

Cookie opt-in: Optional

Advertising

Doubleclick

Who: Doubleclick.net

Purpose: Measuring the conversion. This anonymous information is used to determine the value of an advertising partner and to enable billing of advertising partners. This anonymous information is also used to build anonymous visitor segments, if an opt-in for this was given.

Purpose: Measuring the conversion. This anonymous information is used to determine the value of an advertising partner and to enable billing of advertising partners. This anonymous information is also used to build anonymous visitor segments, if an opt-in for this was given.

Purpose: Measuring the conversion. This anonymous information is used to determine the value of an advertising partner and to enable billing of advertising partners. This anonymous information is also used to build anonymous visitor segments, if an opt-in for this was given.

Purpose: Measuring the conversion. This anonymous information is used to determine the value of an advertising partner and to enable billing of advertising partners. This anonymous information is also used to build anonymous visitor segments, if an opt-in for this was given.

Purpose: Measuring conversions and making targeted offers on third-party websites. The anonymous conversion information is used to determine the value of various advertising partners on a central ad server, and this anonymous information is used to display targeted offers on third-party websites via this central ad server.

Purpose: Measuring conversions and making targeted offers on third-party websites. The anonymous conversion information is used to determine the value of various advertising partners on a central ad server, and this anonymous information is used to display targeted offers on third-party websites via this central ad server.

Purpose: Using dynamic remarketing in Analytics allows you to display remarketing ads for content or products that your users will most probably be interested in, based on the content or products they viewed in the past, related and best performing content and products, and their transaction history and demographics.

Purpose: Measuring conversions and making targeted offers on third-party websites. The anonymous conversion information is used to determine the value of various advertising partners on a central ad server, and this anonymous information is used to display targeted offers on third-party websites via this central ad server.

Purpose: Measuring conversions and making targeted offers on third-party websites. The anonymous conversion information is used to determine the value of various advertising partners on a central ad server, and this anonymous information is used to display targeted offers on third-party websites via this central ad server.

Purpose: Measuring conversions and making targeted offers on third-party websites. The anonymous conversion information is used to determine the value of various advertising partners on a central ad server, and this anonymous information is used to display targeted offers on third-party websites via this central ad server.